With the VMware Host Client, you can manage advanced host settings, assign or remove licenses to your host, configure start and stop policies for host services, and manage time and date configuration for the host.

Manage Advanced Settings in the VMware Host Client

You can change the settings of a host by using the VMware Host Client.

Caution: Changing advanced options is considered unsupported unless VMware technical support or a KB article instructs you to do so. In most cases, the default settings produce the optimum result.

Procedure

  1. Click Manage in the VMware Host Client inventory and click System.
  2. Click Advanced settings.
  3. Right-click the appropriate item from the list and select Edit option from the drop-down menu.
    The Edit option dialog box is displayed.
  4. Edit the value and click Save to apply your changes.
  5. (Optional) Right-click the appropriate item from the list and select Reset to default to go back to the original settings of the item.

Create an Initial Welcome Message for the Direct Console User Interface and the VMware Host Client

By using the VMware Host Client, you can create a welcome message that appears on the initial screen of the Direct Console User Interface (DCUI) and on the login window of the VMware Host Client. You can also create a welcome message that appears after a user logs into the VMware Host Client and decide whether to display the welcome message.

Procedure

  1. Click Manage in the VMware Host Client inventory and click Advanced Settings.
    Option Action
    Create a welcome message that appears before you log in to DCUI and VMware Host Client
    1. Enter Annotations.WelcomeMessage in the Search text box and click the Search icon.
    2. Right-click Annotations.WelcomeMessage and select Edit option from the drop-down menu.

      The Edit option dialog box opens.

    3. In the New value text box, enter the welcome message.

      To set the default message, leave the New value text box blank.

    Create a welcome message that appears after you log in to the VMware Host Client
    1. Enter UserVars.HostClientWelcomeMessage in the Search text box and click the Search icon.
    2. Right-click UserVars.HostClientWelcomeMessage and select Edit option from the drop-down menu.

      The Edit option dialog box opens.

    3. In the New value text box, enter the welcome message.

      To set the default message, leave the New value text box blank.

    Activate or deactivate the appearance of the welcome message after you log in to the VMware Host Client
    1. Enter UserVars.HostClientEnableMOTDNotification in the Search text box and click the Search icon.
    2. Right-click UserVars.HostClientEnableMOTDNotification and select Edit option from the drop-down menu.

      The Edit option dialog box opens.

    3. In the New value text box, enter the new value.

      A value of zero (0) deactivates the appearance of the welcome message.

      A value of one (1) activates the appearance of the welcome message.

  2. Click Save.
  3. (Optional) To reset the key setting to default, right-click the appropriate key from the list and select Reset to default.

Configure the VMware Host Client User Interface Session Timeout

By default, the VMware Host Client user interface session times out after 15 minutes of inactivity, and you must then log back in to the VMware Host Client.

You can increase the default inactivity timeout by changing an advanced configuration parameter. The default value is 900 seconds.

Procedure

  • Configure the User Interface session timeout.
    Option Action
    From the VMware Host Client Advanced Settings
    1. Click Manage in the VMware Host Client inventory and click Advanced Settings.
    2. Enter UserVars.HostClientSessionTimeout in the Search text box and click the Search icon.
    3. Right-click UserVars.HostClientSessionTimeout and select Edit option from the drop-down menu.

      The Edit option dialog box opens.

    4. In the New value text box, enter the timeout setting in seconds.
      Note: A value of zero (0) deactivates the timeout.
    5. Click Save.
    6. (Optional) To reset the key setting to default, right-click the appropriate key from the list and select Reset to default.
    From the User Settings drop-down menu
    1. Click the user name at the top of the VMware Host Client window and select Settings > Application timeout.
    2. To specify the inactivity timeout, select the time.
    3. To deactivate the inactivity timeout, select Off.

Configure the SOAP Session Timeout in the VMware Host Client

In VMware Host Client you can configure the SOAP session timeout.

Procedure

  1. Click Manage in the VMware Host Client inventory and click Advanced Settings.
  2. Enter Config.HostAgent.vmacore.soap.sessionTimeout in the Search text box and click the Search icon.
  3. Right-click Config.HostAgent.vmacore.soap.sessionTimeout and select Edit option from the drop-down menu.
    The Edit option dialog box opens.
  4. In the New value text box, enter the timeout setting in seconds.
    A value of zero (0) deactivates the timeout.
  5. Click Save.
  6. (Optional) To reset the key setting to default, right-click the appropriate key from the list and select Reset to default.

Configure the Passwords and Account Lockout Policy in the VMware Host Client

For ESXi hosts, you must use a password with predefined requirements. You can change the required password length, character class requirements, or allow passphrases, all using the Security.PasswordQualityControl advanced option. You can also set the number of passwords to remember for each user using the Security.PasswordHistory advanced option. This setting prevents duplicate or similar passwords. The Security.PasswordMaxDays advanced option allows you to set up the maximum number of days between password changes.

Note: Always perform additional testing after you change the default password settings.

If you attempt to log in with incorrect credentials, the account lockout policy specifies when and for how long the system locks your account.

ESXi Passwords

ESXi enforces password requirements for access.

  • By default, when you create a password, you must include a mix of characters from any three of the following four character classes: lowercase letters, uppercase letters, numbers, and special characters such as underscore or dash.
  • By default, the password must contain a length of at least 7 characters and a maximum of 40 characters.
  • Passwords must not contain a dictionary word or part of a dictionary word.
  • Passwords must not contain the user name or parts of the user name.

Note: An uppercase character that begins a password does not count toward the number of character classes used. A number that ends a password does not count toward the number of character classes used.

Example of ESXi Passwords

The following password candidates illustrate potential passwords if the option is set as follows:

retry=3 min=disabled,disabled,disabled,7,7

With this setting, a user is prompted up to three times (retry=3) for a new password if the password is not sufficiently strong or was not entered correctly twice. Passwords with one or two character classes and passphrases are not allowed, because the first three items are deactivated. Passwords from three and four character classes require 7 characters.

The following password candidates meet the password requirements:

  • xQaTEhb!: Contains eight characters from three character classes.
  • xQaT3#A: Contains seven characters from four character classes.

The following password candidates do not meet the password requirements:

  • Xqat3hi: Begins with an uppercase character, reducing the effective number of character classes to two. The minimum number of required character classes is three.
  • xQaTEh2: Ends with a number, reducing the effective number of character classes to two. The minimum number of required character classes is three.

Password Quality Control

You can control the quality of passwords by using the Security.PasswordQualityControl advanced option.

Security.PasswordQualityControl consists of several settings that follow the pattern:

retry=N min=N0,N1,N2,N3,N4 max=N passphrase=N similar=permit|deny

Password Quality Control Settings

  • retry=N
    Description: The number of times the user must provide a new password if the password is incorrect or not sufficiently strong.
    Default: retry=3
  • min=N0,N1,N2,N3,N4
    Description: Character class and the passphrase minimum length requirement.
      • N0 is minimum length of passwords from a single character class.
      • N1 is minimum length of passwords from two character classes.
      • N2 is minimum length for a passphrase.
      • N3 is minimum length for three character classes.
      • N4 is minimum length for four character classes.
    You can use disabled to disallow a password with the specified number of character classes.
    Default: min=disabled,disabled,disabled,7,7
  • max=N
    Description: The maximum allowed password length.
    Default: max=40
  • passphrase=N
    Description: The number of words required for a passphrase. To make sure that the passphrase is recognized, do not set N2 from the min setting to disabled.
    Default: passphrase=3
  • similar=permit|deny
    Description: Indicates whether a password is allowed to be similar to the old password. To use this setting, make sure that you set the Security.PasswordHistory option to a non-zero value.
    Starting with vSphere 8.0 Update 1, the default value is 5.
    Default: similar=deny

ESXi Passphrase

Instead of a password, you can use a passphrase. Passphrases are deactivated by default. You can change the default setting by using the Security.PasswordQualityControl advanced option.

For example, you can change the option to the following.

retry=3 min=disabled,disabled,16,7,7

This example allows passphrases of at least 16 characters. The passphrase must consist of at least 3 words, separated by spaces.
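The following sketch is an added example, not VMware code: it parses a Security.PasswordQualityControl string and applies the length, character class, and passphrase rules described above, so you can preview how a candidate policy treats sample passwords before changing a host. The names Policy, parse_policy, effective_classes, and check are hypothetical, and the dictionary, user name, and similarity checks that ESXi also performs are not modeled.

```python
from dataclasses import dataclass

@dataclass
class Policy:
    # Defaults as listed in the settings table on this page.
    retry: int = 3
    min_len: tuple = (None, None, None, 7, 7)  # None means "disabled"
    max_len: int = 40
    passphrase_words: int = 3
    similar: str = "deny"

def parse_policy(text):
    """Parse a Security.PasswordQualityControl string into a Policy."""
    policy = Policy()
    for token in text.split():
        key, sep, value = token.partition("=")
        if not sep:
            raise ValueError(f"expected key=value, got {token!r}")
        if key == "min":
            fields = value.split(",")
            if len(fields) != 5:
                raise ValueError("min needs five fields: N0,N1,N2,N3,N4")
            policy.min_len = tuple(None if f == "disabled" else int(f) for f in fields)
        elif key == "retry":
            policy.retry = int(value)
        elif key == "max":
            policy.max_len = int(value)
        elif key == "passphrase":
            policy.passphrase_words = int(value)
        elif key == "similar" and value in ("permit", "deny"):
            policy.similar = value
        else:
            raise ValueError(f"unsupported setting {token!r}")
    return policy

def effective_classes(password):
    """Count character classes, ignoring a leading uppercase and a trailing digit."""
    return sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password[1:]),
        any(c.isdigit() for c in password[:-1]),
        any(not c.isalnum() for c in password),
    ])

def check(password, policy):
    """Return (accepted, reason) for the length and class rules only."""
    if not password or len(password) > policy.max_len:
        return False, "empty or longer than max"
    n0, n1, n2, n3, n4 = policy.min_len
    # Passphrase path: enough space-separated words and at least N2 characters.
    if n2 is not None and len(password) >= n2 \
            and len(password.split()) >= policy.passphrase_words:
        return True, "passphrase"
    classes = effective_classes(password)
    required = {1: n0, 2: n1, 3: n3, 4: n4}.get(classes)
    if required is None:
        return False, f"{classes} effective class(es) not allowed"
    if len(password) < required:
        return False, f"needs {required} characters for {classes} classes"
    return True, f"{classes} classes"

if __name__ == "__main__":
    page_policy = parse_policy("retry=3 min=disabled,disabled,disabled,7,7")
    for candidate in ("xQaTEhb!", "xQaT3#A", "Xqat3hi", "xQaTEh2"):  # from the page
        print(candidate, check(candidate, page_policy))
```
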

Example Password History and Rotation Policy

To remember history of 6 passwords, set the Security.PasswordHistory option to 6.

To enforce a 90 day password rotation policy, set the Security.PasswordMaxDays option to 90.

ESXi Account Lockout Policy

Users are locked out after a preset number of consecutive failed attempts. By default, users are locked out after 5 consecutive failed attempts in 3 minutes, and a locked account is unlocked automatically after 15 minutes. You can change the maximum allowed failed attempts and the period of time in which the user account is locked out by using the Security.AccountLockFailures and Security.AccountUnlockTime advanced options.

To configure the administrator passwords and account lockout behaviour, perform the following steps.

Procedure

  1. Click Manage in the VMware Host Client inventory and click Advanced Settings.

    Option

    Action

    Configure the required password length, character class requirement, or allow passphrases

    1. Enter Security.PasswordQualityControl in the Search text box and click the Search icon.

    2. Right-click Security.PasswordQualityControl and select Edit option from the drop-down menu.

    Configure the number of passwords to remember for each user

    1. Enter Security.PasswordHistory in the Search text box and click the Search icon.

    2. Right-click Security.PasswordHistory and select Edit option from the drop-down menu.

      Note: Zero (0) deactivates password history.

    Configure the maximum number of days between password changes

    1. Enter Security.PasswordMaxDays in the Search text box and click the Search icon.

    2. Right-click Security.PasswordMaxDays and select Edit option from the drop-down menu.

    Configure the number of failed login attempts allowed before lockout

    1. Enter Security.AccountLockFailures in the Search text box and click the Search icon.

    2. Right-click Security.AccountLockFailures and select Edit option from the drop-down menu.

      Note: Zero (0) deactivates account locking.

    Configure the period of time in which the user's account is locked out

    1. Enter Security.AccountUnlockTime in the Search text box and click the Search icon.

    2. Right-click Security.AccountUnlockTime and select Edit option from the drop-down menu.

    The Edit option dialog box opens.

  2. In the New value text box, enter the new setting.
  3. Click Save.
  4. (Optional) To reset the key setting to default, right-click the appropriate key from the list and select Reset to default.

Configure Syslog in the VMware Host Client

To configure the syslog service, you can use the VMware Host Client.

Procedure

  1. Click Manage in the VMware Host Client inventory and click Advanced Settings.
  2. In the Search text box, enter the name of the setting that you want to change and click the Search icon.
    • Syslog.global.LogHost: Remote host to which syslog messages are forwarded and the port on which the remote host receives syslog messages. You can include the protocol and the port, for example, protocol://hostName1:port where protocol can be udp, tcp, or ssl. You can use only port 514 for UDP. The ssl protocol uses TLS 1.2. For example: ssl://hostName1:1514. The value of port can be any decimal number between 1 and 65535.

      While no hard limit to the number of remote hosts to receive syslog messages exists, it is recommended to keep the number of remote hosts to five or less.

    • Syslog.global.logCheckSSLCerts: Enforce checking of the SSL certificates when you log in to a remote host.
    • Syslog.global.defaultRotate: Maximum number of archives to keep. You can set this number globally and for individual subloggers.
    • Syslog.global.defaultSize: Default size of the log, in KB, before the system rotates logs. You can set this number globally and for individual subloggers.
    • Syslog.global.LogDir: Directory where logs are stored. The directory can be on mounted NFS or VMFS volumes. Only the /scratch directory on the local file system is persistent across reboots. Specify the directory as [datastorename] path_to_file, where the path is relative to the root of the volume backing the datastore. For example, the path [storage1] /systemlogs maps to the path /vmfs/volumes/storage1/systemlogs.
    • Syslog.global.logDirUnique: Selecting this option creates a subdirectory with the name of the ESXi host under the directory specified by Syslog.global.LogDir. A unique directory is useful if the same NFS directory is used by multiple ESXi hosts.
  3. Right-click the setting name and select Edit option from the drop-down menu.
    The Edit option dialog box opens.
  4. To perform the SSL certificates check when you log in to a remote host, click True under New value.
  5. Click Save.
  6. (Optional) To reset the key setting to default, right-click the appropriate key from the list and select Reset to default.
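The sketch below is an added example, not part of the VMware documentation: it checks a planned Syslog.global.LogHost value against the constraints listed in the table above and pairs it with the Syslog.global.logCheckSSLCerts setting. The function name audit_loghost and the finding codes are hypothetical, and it assumes multiple remote hosts are written as a comma-separated list, which this page does not state.

```python
import re

# protocol://host:port, with protocol and port optional as the table describes.
ENTRY_RE = re.compile(
    r"^(?:(?P<proto>[A-Za-z]+)://)?"
    r"(?P<host>\[[0-9A-Fa-f:.]+\]|[^:/\s]+)"
    r"(?::(?P<port>\d+))?$"
)
ALLOWED_PROTOCOLS = {"udp", "tcp", "ssl"}
MAX_RECOMMENDED_HOSTS = 5  # "five or less" per the page

def audit_loghost(value, check_ssl_certs):
    """Return a list of (entry, finding_code) for a LogHost value.

    check_ssl_certs is the planned Syslog.global.logCheckSSLCerts value.
    Assumption: entries are separated by commas.
    """
    findings = []
    entries = [e.strip() for e in value.split(",") if e.strip()]
    if len(entries) > MAX_RECOMMENDED_HOSTS:
        findings.append(("*", "too-many-hosts"))
    for entry in entries:
        match = ENTRY_RE.match(entry)
        if not match:
            findings.append((entry, "bad-format"))
            continue
        proto = (match.group("proto") or "").lower()
        port = int(match.group("port")) if match.group("port") else None
        if proto and proto not in ALLOWED_PROTOCOLS:
            findings.append((entry, "bad-protocol"))
            continue
        if port is not None and not 1 <= port <= 65535:
            findings.append((entry, "port-range"))
        if proto == "udp" and port not in (None, 514):
            findings.append((entry, "udp-port"))  # only port 514 is usable for UDP
        if proto != "ssl":
            # Only ssl is described as TLS-protected; udp, tcp, or an
            # unspecified protocol cannot be confirmed as encrypted.
            findings.append((entry, "not-ssl"))
        elif not check_ssl_certs:
            findings.append((entry, "no-cert-check"))
    return findings

if __name__ == "__main__":
    # Constructed sample values; hostName1 is the placeholder used on the page.
    for sample in ("ssl://hostName1:1514", "udp://loghost.example:1514"):
        print(sample, audit_loghost(sample, check_ssl_certs=True))
```
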

Configure Advanced TLS/SSL Key Options

You can configure the security protocols and cryptographic algorithms that are used to encrypt communications with the ESXi host.

For more information, see the VMware KB article at https://kb.vmware.com/s/article/79476.

The Transport Layer Security (TLS) key secures communication with the host using the TLS protocol. Upon first boot, the ESXi host generates the TLS key as a 2048-bit RSA key. Currently, ESXi does not implement automatic generation of ECDSA keys for TLS. The TLS private key is not intended to be serviced by the administrator.

The SSH key secures communication with the ESXi host using the SSH protocol. Upon first boot, the system generates the SSH key as a 2048-bit RSA key. The SSH server is deactivated by default. SSH access is intended primarily for troubleshooting purposes. The SSH key is not intended to be serviced by the administrator. Logging in through SSH requires administrative privileges equivalent to full host control. To enable SSH access, see Enable the Secure Shell (SSH) in the VMware Host Client.

You can configure the following ESXi host security key settings.

Note: The UserVars.ESXiVPsAllowedCiphers security key setting only affects I/O filters.

  • UserVars.ESXiVPsAllowedCiphers
    Default: !aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES
    Description: The default cipher control string.
  • Config.HostAgent.ssl.keyStore.allowAny
    Default: False
    Description: You can add any certificate to the ESXi CA trust store.
  • Config.HostAgent.ssl.keyStore.allowSelfSigned
    Default: False
    Description: You can add non-CA self-signed certificates to the ESXi CA trust store, that is, certificates that do not have the CA bit set.
  • Config.HostAgent.ssl.keyStore.discardLeaf
    Default: True
    Description: Discards leaf certificates added to the ESXi CA trust store.

To configure the ESXi security key settings:

Procedure

  1. Click Manage in the VMware Host Client inventory and click Advanced Settings.
  2. Enter the security key in the Search text box and click the Search icon.
  3. Right-click the security key and select Edit option from the drop-down menu.
    The Edit option dialog box opens.
  4. In the New value field, enter the new value and click Save.
  5. (Optional) To reset the key setting to default, right-click the appropriate key from the list and select Reset to default.

Configure Userworld Memory Zeroing

With VMware Host Client, you can use the advanced option Mem.MemEagerZero to determine how pages are zeroed out for virtual machines and user space applications.

To zero all pages when they are allocated to virtual machines and user space applications, set Mem.MemEagerZero to one (1). If the memory is not reused, this setting prevents exposing the information from a virtual machine or user space applications to other clients while preserving the previous content in memory.

When you set Mem.MemEagerZero to 1, pages are zeroed when a user space application exits. For virtual machines, such pages are zeroed if:
  • The virtual machine is powered off.
  • The virtual machine pages are migrated.
  • The ESXi host reclaims virtual machine memory.

Note: For virtual machines, you can obtain this behaviour by setting the sched.mem.eagerZero advanced option to TRUE.

For information about setting the advanced virtual machine options, see the vSphere Resource Management documentation.

To configure the userworld memory zeroing, perform the following steps.

Procedure

  1. Click Manage in the VMware Host Client inventory and click Advanced Settings.
  2. Enter Mem.MemEagerZero in the Search text box and click the Search icon.
  3. Right-click Mem.MemEagerZero and select Edit option from the drop-down menu.
    The Edit option dialog box opens.
  4. In the New value text box, enter the new value.

    The default value is zero (0).

  5. Click Save.
  6. (Optional) To reset the key setting to default, right-click the appropriate key from the list and select Reset to default.

Change Autostart Configuration in the VMware Host Client

Configure autostart options for the ESXi host to set up when the host starts and stops.

Procedure

  1. Click Manage in the VMware Host Client inventory and click System.
  2. Click Autostart.
  3. Click Edit settings.
  4. Select Yes to enable changing the autostart configuration.
    • Start delay: After you start the ESXi host, it starts powering on the virtual machines that are configured for automatic startup. After the ESXi host powers on the first virtual machine, the host waits for the specified delay time and then powers on the next virtual machine.
    • Stop delay: Stop delay is the maximum time the ESXi host waits for a shutdown command to complete. The order in which virtual machines are shut down is the reverse of their startup order. After the ESXi host shuts down the first virtual machine within the time that you specify, the host shuts down the next virtual machine. If a virtual machine does not shut down within the specified delay time, the host runs a power off command and then starts shutting down the next virtual machine. The ESXi host shuts down only after all virtual machines are shut down.
    • Stop action: Select a shut down action that is applicable to the virtual machines on the host when the host shuts down.
      • System default
      • Power off
      • Suspend
      • Shut down
    • Wait for heartbeat: Select Yes to enable the Wait for heartbeat option. You can use this option if the guest operating system of the virtual machine has VMware Tools installed. After the ESXi host powers on the first virtual machine, the host immediately powers on the next virtual machine. The startup order in which virtual machines are powered on continues after the virtual machine receives the first heartbeat.

    If you set a delay option to -1, the system uses the default option.
  5. Click Save.

Edit the Time Configuration of an ESXi Host in the VMware Host Client

By using the VMware Host Client, you can configure the time settings of a host manually or synchronize the time and date of the host with an NTP or a PTP server. NTP provides millisecond timing accuracy and PTP maintains microsecond timing accuracy.

The NTP service on the host periodically takes the time and date from the NTP server. You can use the Start, Stop, or Restart buttons to change the status of the NTP service on the host at any time regardless of the selected startup policy for the NTP service.

PTP provisions precise time synchronization for the virtual machines within a network. To change the PTP service on the host at any time, you can use the Start, Stop, or Restart buttons. Starting or stopping the PTP service automatically activates or deactivates PTP. To apply the change when you activate or deactivate PTP manually, start or stop the PTP service.

For more information about services, see Manage Services in the VMware Host Client.

Note: The NTP and PTP services cannot run simultaneously.

Procedure

  1. Click Manage in the VMware Host Client inventory.
  2. On the System tab, click Time & date.
  3. Set the time and date for the host.
    Option Action
    Manually configure the date and time on this host
    1. Click Edit NTP Settings.

      The Edit NTP Settings dialog box appears.

    2. Set the time and date for the host manually.
    3. Click Save.
    Use Network Time Protocol (Enable NTP client)
    1. Click Edit NTP Settings.

      The Edit NTP Settings dialog box appears.

    2. Select the Use Network Time Protocol radio button.
    3. In the NTP Servers text box, enter the IP addresses or host names of the NTP servers that you want to use.
    4. From the NTP Service Startup Policy drop-down menu, select an option for starting and stopping the NTP service on the host.
      • Start and stop with port usage. Starts or stops the NTP service when the NTP client port is activated or deactivated for access in the security profile of the host.
      • Start and stop with host. Starts and stops the NTP service when the host powers on and shuts down.
      • Start and stop manually. Enables manual starting and stopping of the NTP service. If you select the Start and stop manually policy, the status of the NTP service changes only when you use the UI controls.
    5. Click Save.
    Use Precision Time Protocol (Enable PTP client)
    1. Click Edit PTP Settings.
    2. Select the Enable check box.
    3. From the Network interface drop-down menu, select a network interface.

      The IPv4 and Subnet mask appear.

    4. Click Save.